Europaisi^^^Patentamt 

® ^JJJ European Patent Office ® Publication number: 0 334 616 

Offic europe n d s br vets A2 



EUROPEAN PATENT APPLICATION 



@ Application number: 89302812.6 (g) Int. CI 4; G 07 F 7/10 

^ G 07 C 9/00 

(22) Date of filing; 21.03.89 



@ Priority: 21.03.88 US 170734 

@ Date of publication of application : 
27.09.89 Bulletin 89/39 

@ Designated Contracting States: DE FR GB IT NL 



@ Applicant: Leighton, Frank T. 
965 Dedham Street 
Newton Center. MA 02159 (US) 

Micali, Silvio 
224 Upland Road 
Cambridge, MA 02140 (US) 

@ Inventor: Leighton, Frank T. 
965 Dedham Street 
Newton Center, MA 021 59 (US) 

Micali, Silvio 
224 Upland Road 
Cambridge. MA 02140 (US) 

@ Representative : Lawrence, Malcolm Graham et al 

Hepworth Lawrence & Bryer 15th floor Terminus House 

Terminus Street 

Harlow Essex CM201XD (GB) 



CM 
< 

to 
co 

CO 
CO 



@ Method and system for personal Identification. 

(g) The method and system of the invention utilizes a private 
key of a public-key cryptosystem key pair to encrypt a 
non-secret password into a digital signature. The password and 
the digital signature are then encoded and stored on a magnetic 
stripe or other memory device of the card. To effect a 
transaction, the digital signature on a received card must be 
shown to have been generated from the password on the 
received card. The password preferably includes a digitized 
photograph of the authorized cardholder which is capable of 
being displayed at the transaction terminal. This enables the 
operator of the terminal to verify the identity of the cardholder 
by visual inspection. 




FIG. 1A 
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METHOD AND SYSTEM FOR PERSONAL IDENTIFICATION 



TECHNICAL FIELD 

The present invention relates generally to per- 
sonal identification schemes and more particularly to 
a method and system for issuing authorized per- 
sonal identification cards and for preventing unauth- 
orized use thereof during transaction processing. 
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BACKGROUND OF THE INVENTION 

Password-based protection schemes for credit 
cards or other personal identification cards are 
welt-known in the prior art. Such cards typically 
include a memory comprising a magnetic tape or 15 
other storage media affixed to the card. They may 
also include a data processing capability in the form 
of a microprocessor and an associated control 
program. In operation, a card issuer initially stores in 
the memory a personal identification number, i.e., a 20 
secret password, as well as a value representing a 
maximum dollar amount. To effect a transaction, the 
card is placed in a terminal and the user is required 
to input his or her password. If the terminal verifies a 
match between the user-inputted password and the 25 
password stored on the card, the transaction is 
allowed to proceed. The value of the transaction is 
then subtracted from the value remaining on the 
card, and the resulting value represents the available 
user credit. 30 

Techniques have also been described in the prior 
art for protecting against the illegitimate issuance of 
credit cards such as the type described above. In 
U.S. Patent No. 4,453,074 to Weinstein, each such 
card has stored therein a code which is the 35 
encryption of a concatenation of a user's secret 
password and a common reference text. The 
encryption is derived in an initialization terminal 
through the use of a private key associated with the 
public key of a public-key cryptosystem key pair. In 40 
operation, a cardholder presents his or her card to a 
transaction terminal. The terminal decrypts the 
stored code on the card in accordance with the 
public key of the public-key cryptosystem pair. A 
transaction is effected only if the stored code 45 
decrypts into the user password, inputted on a 
keyboard by the cardholder, and the common 
reference text. 

Whiie the method described in the Weinstein 
patent provides an adequate protection scheme for 50 
preventing the fraudulent issuance of credit cards, 
this scheme requires each user to have a secret or 
■^private' password which must be memorized and 
inputted into the transaction terminal. Weinstein also 
requires additional circuitry for concatenating the 55 
user s secret password with the common reference 
text. This latter requirement, while purportedly 
required to insure the integrity of the protection 
scheme, increases the complexity and the cost of 
the system. 60 

It would therefore be desirable to provide an 
improved method for issuing personal identification 
cards using a public-key cryptosystem in which a 



''secret" password need not be memorized by the 
authorized user or concatenated with a common 
reference text to maintain the system security. 

BRIEF SUMMARY OF THE INVENTION 

The present invention describes a method and 
system for issuing authorized personal identification 
cards and for preventing the unauthorized use 
thereof using a public-key cryptosystem. 

According to one feature of the invention, each 
authorized user of a card is assigned a password 
having a portion thereof which is generated from a 
representation of some non-secret or "public" 
characteristic of the user. The password is then 
processed to produce a digital "signature" which, 
along with the password, is thereafter stored on the 
card. To authorize a transaction at a transaction 
terminal, the digital signature from a received card 
must first be shown to have been generated from the 
password on the received card. The password is 
also processed at the transaction terminal to display 
a representation of the "public" characteristic en- 
coded thereon. The public characteristic is then 
verified by an operator of the transaction terminal 
before a transaction is authorized. 

It is very difficult to create a valid signature for any 
personal data without the proper private key, 
although it is simple for anyone to verify whether or 
not the signature for a password on the card is 
authentic, even without the private key. Only a card 
issuer can thus make a valid card and only a user 
with matching personal characteristics can use the 
card. 

In the preferred embodiment, the password 
includes data representing a pictorial representation 
of a physical characteristic (e.g., the face, finger- 
print, voice sample or the like) of the authorized 
user. Alternatively, or in addition to the pictorial 
representation data, the password may contain 
other data pertinent to the user, such as the user's 
age, address, nationality, security clearance, bank 
account balance, employer, proof of ownership, or 
the like. The password may also include one or more 
codeword, each of the codewords authorizing a 
specific transaction such as permission to receive 
certain funds on a certain date, permission to see 
classified documents, permission to enter into a 
country on a certain date (i.e., a visa), attestation to 
perform certain acts, or the like. Although not meant 
to be limiting, the personal identification card may be 
a credit card, a driver's license, a passport, a 
membership card, an age verification card, a bank 
card, a security clearance card, a corporate identifi- 
cation card or a national identification card. 

In the preferred embodiment, a method for issuing 
an authorized personal identification card comprises 
the steps of generating the pictorial representation 
of a physical characteristic of the authorized user, 
processing the pictorial representation to generate a 
password, mapping the password with a predeter- 
mined function to generate a mapped password. 
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digitally signing the mapped password with a private 
key of a public-key cryptosystem pair to generate a 
signature corresponding to the mapped password, 
encoding the password and the signature with a 
predetermined function to generate an encoded 
password/signature, and storing the encoded pass- 
word/signature on a personal identification card. 

To enable an authorized user of the personal 
identification card to effect a transaction using a 
transaction terminal, the subject invention describes 
a method comprising the steps of receiving the 
personal identification card at the transaction termi- 
nal, decoding the encoded password/signature of 
the received personal identification card to generate 
a received password and a received signature, 
mapping the received password with the predeter- 
mined function to generate a mapped password for 
the received personal identification card, and digi- 
tally verifying, using the public key of the public-key 
cryptosystem pair, whether the received signature 
can be generated from the mapped password for the 
received personal identification card. If the received 
signature can be generated from the mapped 
password using the public key, the method con- 
tinues by generating an indication that the received 
signature is valid. A pictorial representation is then 
generated from the received password, and the 
pictorial representation and the indication are then 
displayed on a display of the transaction terminal to 
enable an operator thereof to verify that the user is 
authorized to effect a transaction using the personal 
identification card. 

Preferably, the digital signing routine of the 
method includes the steps of multiplying the 
mapped password "Q" by each of the four factors 
±1 modulo "M" and ±2 modulo "M", where 
M = Pi»P2- As used herein, "M" refers to the public 
key of the pubttc-key cryptosystem pair and (Pi,P2) 
refers to the private key thereof, where "Pi " and "P2" 
are secret prime numbers which are preselected 
such that only one of the four values ± Q mod M and 
±2Q mod M is a quadratic residue modulo "M". 
According to the digital signing routine, the four 
values ±Q mod M and ±2Q mod M are evaluated to 
determine which of these values is a quadratic 
residue modulo "M". The square root of the 
quadratic residue is then computed to generate the 
signature. Because the square root computation is 
extremely difficult to carry out without knowing the 
factorization of the secret prime numbers of the 
private key. unauthorized third parties are not 
capable of producing a card "signature" which, when 
digitally verified at the transaction terminal, can be 
shown to have been generated from the mapped 
password on the received persona! identification 
card. 

In accordance with yet another feature of the 
invention, a system for issuing authorized personal 
identification cards and for preventing unauthorized 
use thereof includes a plurality of issuing transaction 
terminals, each of the issuing transaction terminals 
being uniquely associated with one issuer of 
personal identification cards. Each issuer is as- 
signed or selects its own public-key cryptosystem 
key pair which may or may not be different from the 
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public-key cryptosystem key pair of every other 
issuer in the system. This arrangement, especially 
suited to a passport control system or the like, 
enables the operator of a transaction terminal to 
5 verify signatures from one or more of the issuers. 
According to a further feature of the Invention, a 
unique personal identification card is provided for 
effecting transactions via at least one transaction 
terminal. The identification card preferably includes a 
10 body portion and a memory within the body portion 
for storing a password and a signature derived from 
the password. The password includes a portion 
thereof which is generated from a pictorial represen- 
tation of a non-secret characteristic of the auth- 
15 orized user, such as the user's face. The signature is 
derived from the password with the private key of a 
public-key cryptosystem pair. 

BRIEF DESCRIPTION OF THE DRAWINGS 
20 For a more complete understanding of the 

present invention and the advantages thereof, 
reference is now made to the following Description 
taken in conjunction with the accompanying Draw- 
ings in which: 

25 FIGURE 1 is a schematic representation of 

one type of personal identification card accord- 
ing to the invention, the card having a picture of 
a physical characteristic of an authorized user 
of the identification card; 
30 FIGURE 1A is a diagrammatic representation 

of a portion of a magnetic stripe of the personal 
identification card of FIGURE 1 showing a 
"password" generated in part from the picture 
on the identification card; 
35 FIGURE 2 is a general flowchart diagram of 

the preferred method of the present invention 
for issuing an authorized personal identification 
card such as shown in FIGURE 1 ; 

FIGURE 3 is a detailed flowchart diagram of 
40 the digital signing routine of FIGURE 2; 

FIGURE 3A is a flowchart diagram of a routine 
for selecting the secret prime numbers of the 
private key (Pi.Pa): 

FIGURE 4 is a general flowchart diagram of 
45 the preferred method of the present invention 

for preventing unauthorized use of the personal 
identification card of FIGURE 1 which is issued 
according to the method of FIGURE 2; 

FIGURE 5 is a detailed flowchart diagram of 
50 the digital verifying routine of FIGURE 4; and 

FIGURE 6 is a block diagram of a representa- 
tive multi-issuer system according to the pres- 
ent invention. 

55 DETAILED DESCRIPTION 

With reference now to the drawings wherein like 
reference numerals designate like or similar parts or 
steps. FIGURE 1 is a schematic representation of a 
personal identification card 10 for use according to 

60 the present invention for effecting transactions via a 
transaction terminal. As noted above, the term 
"personal identification card" according to the 
present invention is to be read expansively and is 
deemed to cover credit cards or other commonly 

65 known forms of identification such as a passport, a 



BNSDOCID: 



^1 6A2_I_> 



5 



EP 0 334 616 A2 



6 



driver s license, a membership card, an age identifi- 
cation card, a security clearance card, a corporate 
identification card, a national identification card, or 
the like. 

Personal identification card 10 in FIGURE 1 is a 
driver s license. Card 10 includes a body portion 12 
having a display 14 and a memory 16. Although not 
meant to be limiting, the memory 16 is preferably a 
magnetic stripe or similar media, or an electronic 
memory such as PROM, affixed to or embedded In 
the card in a known manner. The personal identifica- 
tion card may or may not include an integral 
microprocessor embedded in the body portion. As 
seen in FIGURE 1, the display 14 of the personal 
identification card 10 supports a pictorial represen- 
tation 18 of a physical characteristic of the auth- 
orized user; e.g., the user's face. Of course, the 
display 14 may also display pictorial representations 
of other physical features of the user such as the 
user's fingerprint or palm print. 

Referring now to FIGURE 1A, according to the 
present invention the memory 16 of the personal 
identification card 10 preferably includes a 'pass- 
word" 20 unique to the authorized user and having a 
portion 20a thereof which is generated from a 
representation of some non-secret or "public" 
characteristic of the user. As used herein, the term 
"non-secret" refers to the fact that the representa- 
tion of the authorized user, such as the user's face, 
is readily ascertainable by viewing and comparing 
the persona! identification card and the authorized 
user directly. In the preferred embodiment, the 
section 20a of the password is a digital bitstream 
representing a digitized version of the pictorial 
representation 18 on the personal identification card 
10. 

As also seen in FIGURE 1A, the password 20 may 
include a portion 20b having data representing one 
or more personal facts about the authorized user 
such as the user's age, address, nationality, security 
clearance, employer, bank account balance, eye 
color, height, weight, mother's maiden name, or any 
other such information. This information may or may 
not be public. Moreover, the password 20 may 
further include a portion 20c having one or more 
codewords, each of the codewords authorizing a 
specific transaction such as permission to enter a 
country on a certain date, permission to receive 
certain funds on a certain date, permission to review 
certain classified documents, or one or more other 
such specific transactions. Of course, the password 
20 may include one or more of the predetermined 
types of data, 20a, 20b, and/or 20c, shown in 
FIGURE 1A. 

As also seen in FIGURE 1 A, the memory 16 of the 
personal identification card 10 also includes a 
signature 22. which, as will be described in more 
detail below, is derived from the password 20 using 
the private key of a "public-key cryptosystem" key 
pair. A "public-key cryptosystem" is a well known 
security scheme which includes two "keys." one key 
which is public (or at least the key-pair owner does 
net really care if it becomes public) and one key 
which is private or non-public. Ali such public-key 
cryptosystem pairs include a common feature — the 



private key cannot be determined from the public 
key. 

Referring now to FIGURE 2. a general flowchart 
diagram is shown of the preferred method of the 

5 present invention for issuing an authorized personal 
identification card 10 such as shown in FIGURE 1. At 
step 30, the card issuer collects the necessary 
personal data from a card applicant. Although not 
meant to be limiting, this data preferably includes a 

10 pictorial representation of a physical characteristic 
of the authorized user. For example, the data may 
include a photograph of the card applicant. At step 
32, the photograph, other personal data and/or code 
authorizations are processed to generate a pass- 

15 word as described above in FIGURE 1A. 

At step 34, the password is mapped with a 
predetermined one-way function "F" to generate a 
mapped password "Q" which may have a length 
substantially less than the length of the password. 

20 This "mapping" step is typically required to reduce 
the length of the digital bitstream comprising the 
password, especially when a digitized photograph of 
the authorized user is stored therein. By way of 
example only, the predetermined one-way function 

25 "F" may be any one or more of several well-known 
hashing functions such as one obtainable from the 
DES scheme or the Goldwasser. Micali & Rivest 
scheme. Alternatively, the function "F" may be an 
identity function which simply transfers the pass- 

30 word through step 34 without modification. The 
identity function might be used where the password 
length is sufficiently smaller than the available 
storage capability of the memory 16. 

At step 36, the method continues to "digitally 

35 sign ' the mapped password "0" with a private key 
(P^.P^) of a public-key cryptosystem pair to gener- 
ate a so-called "signature". As will be described in 
more detail below, in the preferred embodiment "Pr 
and "Pg" are secret prime numbers and the 

40 public-key cryptosystem pair includes a public key 
"M" which is equai to ''Pi«P2". At step 38, the 
method encodes the password (as opposed to the 
mapped password) and the signature with an 
error-correcting code to generate an encoded 

45 password/signature. Step 38 insures that the card 
10 wilt be usable even if some of its data is 
destroyed. At step 40, the encoded password/signa- 
ture is stored on the personal identification card in 
the manner substantially as shown in FIGURE 1 A. 

50 Although not shown in detail in FIGURE 2, it 
should be appreciated that the card issuer may 
digitally sign one or more digital signatures on the 
card 10 at one or more different times using different 
public-key cryptosystem pair keys. The card could 

55 then function as a passport with each signature 
derived from a different cryptosystem key pair 
corresponding to a different country (i.e., a visa). It 
may also be desirable in the method of FIGURE 2 to 
include an additional encryption step wherein the 

60 password is encrypted with a predetermined func- 
tion prior to the mapping step and/or where the 
signature itself is encrypted. This enables the card to 
carry information which is desired to be maintained 
highly confidential even if the card were lost or 

65 stolen. 
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Referring now to FIGURE 3, a detailed flowchart 
diagram is shown of the preferred digital signing 
routine of the present invention. As described 
above, "M" is the public key of the public-key 
cryptosystem and (Pi,P2) is the private key thereof. 
According to the routine, the secret prime numbers 
"Pi " and "P2" are selected at step 42 such that when 
the mapped password Q is multiplied by four 
predetermined factors, ±1 modulo "M" and ±2 
modulo "M," one and only one of the resulting values 
±Q mod M and ±2Q mod M is a quadratic residue 
modulo "M". The security of the preferred digital 
signing routine is based primarily on the fact that is it 
extremely difficult to compute the square root of the 
quadratic residue modulo" M" without knowing the 
factorization of M = Pi»P2. 

Referring back to FIGURE 3, at step 44 the 
mapped password "Q" is multiplied by each of the 
factors ±1 mod M and ±2 mod M. The routine 
continues at step 46, wherein each of the resulting 
values ± Q mod M and ±2Q mod M are evaluated to 
locate the quadratic residue mod "M". When this 
value is located, the routine computes the square 
root thereof at step 48 to generate the digital 
signature. 

Although not shown in detail, it should be 
appreciated that the private key may include any 
number of secret prime numbers (Pi,P2,P3,*»» Pn). 
Preferably, the secret prime numbers are selected 
according to the routine shown in FIGURE 3A. At 
step 35, an n-bit random number "xT is generated. 
The number of bits "n" needs to be large enough 
(e.g., 250 bits) such that it is difficult to factor "M". At 
step 37, xi is incremented to be congruent to a 
predetermined value, e.g.. "3 mod 8". At step 39, a 
test is made to determine if xi is prime. If so, then 
the routine continues at step 41 by setting xi = Pi. 
If xi is not prime, then xi is incremented at step 43 
(by setting xi = xi + 8) and the routine returns to 
step 39. Once Pi is selected, the routine continues 
at step 45 to generate another n-bit random number 
"X2". At step 47, X2 is incremented to be congruent 
with a second predetermined value, e.g., "7 mod 8". 
At step 49, a test is made to determine if X2 is prime. 
If so, then the routine continues at step 51 by setting 
X2 — P2- If X2 is not prime, then X2 is incremented at 
step 53 (by setting X2 = X2 + 8) and the routine 
returns to step 49. Once P2 is selected, the public 
key "M" is set equal to Pi»P2 at step 55. 

It is also desirable to store Pi and P2 in the issuing 
terminal responsible for computing signatures. 
Moreover, it is possible to distribute the private key 
(Pi,P2) from one terminal to another without any 
person being able to discern the key by using 
another public-key cryptosystem pair (for which the 
private key is known only to the receiving terminal). 
Moreover, while the digital signing routine of 
FIGURE 3 is preferred, other schemes, such as RSA, 
the Goldwasser, Micaii & Rivest scheme and/or the 
Rabin scheme, may be used. Such schemes may 
also require knowledge of the public key, although 
the routine of FIGURE 3 does not. In any case, the 
process of generating the "signature" is fast if the 
private key is known but is prohibitively slow 
otherwise. Any attempt to issue counterfeit cards is 



complicated further by the use of a one-way function 
"F" to hash the password into the mapped password 
"Q". In this way, it becomes virtually impossible for a 
counterfeiter to mount a chosen-text attack on the 
5 card generation scheme even if the counterfeiter 
couid somehow obtain signatures for fake personal 
data. 

Referring now to FIGURE 4, a general flowchart 
diagram is shown of a preferred method for 
10 preventing unauthorized use of the personal identifi- 
cation card 10 issued according to the routines of 
FIGURES 2-3. At step 50, the personal identification 
card is received at a transaction terminal. At step 52, 
the encoded password/signature is decoded to 
15 generate a received password and a received 
signature. Preferably, the method includes a step 54 
wherein errors in the received password and 
received signature are corrected in accordance with 
well-known techniques. At step 56, the received 

20 password is mapped, with the same predetermined 
function "F" used at the issuing terminal, to generate 
a mapped password "Qr for the received personal 
identification card. 
The routine then continues at step 58 to verify that 

25 the received signature is "valid". In particular, the 
method digitally verifies, using the public key of the 
public-key cryptosystem pair, whether the received 
signature can be generated from the mapped 
password "Or". If so, the method continues at step 

30 60 to generate an indication that the received 
signature is valid. At step 62, a representation is 
generated from data in the received password. This 
representation will be a picture if the original 
password stored on the card included a digitized 

35 photograph of the authorized cardholder. Of course, 
step 62 can be performed in parallel with steps 58 
and 60 so that the picture is immediately displayed 
while the signature verification takes place. Refer- 
ring back to FIGURE 4, at step 64, the method 

40 displays either the pictorial representation or the 
indication, or both, on a display of the transaction 
terminal. This display is then verified by an operator 
of the terminal at step 66 to insure that the 
cardholder is authorized to effect a transaction. 

45 It should be appreciated that the personal identifi- 
cation card generated according to the method of 
FIGURE 2 can be used in any situation requiring user 
identification. For example, and not by way of 
limitation, the authorized user can present the card 

50 to an authorized salesperson for charging a pur- 
chase. The salesperson would enter the card into 
the transaction terminal which is capable of reading 
the data from the card's memory, verifying that the 
(digital) signature on the card is valid, and displaying 

55 on the display screen information derived from the 
password. The salesperson can therefore be as- 
sured that the cardholder's identity is as claimed and 
proceed with the charge. 

Referring now to FIGURE 5, a detailed flowchart is 

60 shown of the preferred digital verification routine of 
FIGURE 3. At step 68, the routine multiplies the 
mapped password "Or" from the received personal 
identification card by each of the factors ± 1 mod M 
and ±2 mod M. The method continues at step 70 by 

65 squaring modulo "M" the received signature to 
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generate a value "X". At step 72, a test is made to 
determine whether "X" equals either ±Qr mod M or 
± 2Qr mod M. If so, the routine continues at step 74 
to generate the indication that the received signa- 
ture is valid. If "X" does not equal any one of these 
four factors, the signature Is invalid and the 
transaction is inhibited. 

Of course, the method and system of the present 
invention is easily adaptable to a multi-issuer 
scenario where several parties desire to issue cards 
using different cryptosystem pairs, but where veri- 
fiers (i.e., operators of transaction terminals) need to 
authenticate a card from any of the issuers. This can 
be accomplished by encoding the public key used by 
each issuer into each transaction terminal and then 
requiring the operator thereof to enter into the 
terminal both the identity of the issuer along with the 
card itself; alternatively, the identity of the card 
issuer can be encoded on the card. This type of 
system is shown in FIGURE 6, wherein a plurality of 
issuing terminals 76a.. .76n are provided for one or 
more independent issuers of authorized personal 
identification cards. Each of the independent issuers 
is assigned or selects a distinctive public-key 
cryptosystem pair unknown to the other issuers. As 
noted above, the public key of each such pair is then 
encoded into each of the one or more transaction 
terminals 78a... 78n which are shared by all of the 
issuers. 

The system of FIGURE 6 is useful for passport 
control, national identification cards, or multi-com- 
pany credit cards, although such applications are 
not meant to be limiting, in operation of a passport 
system, for example, each country would have 
complete autonomy over the personal identification 
cards it issues, but a single transaction terminal 
would be used to authenticate the signature (which 
could include a visa) of any country. 

Although not described in detail, it can be 
appreciated by those skilled in the art that the 
method and system of the present invention can be 
readily implemented with preexisting hardware and 
software. In the preferred embodiment, and as 
shown in FIGURE 6, each of the issuing terminals 76 
includes a microcomputer 80 and associated mem- 
ory devices 82 for storing operating programs and 
application programs for carrying out the method 
steps of FIGURE 2. Input/output devices, such as a 
keyboard 84 and display 86, are provided for 
interfacing the terminal to the card issuer. Of course, 
one or more of the method steps (e.g., the digital 
signing step, the mapping step and the encoding 
step) can be implemented in either gate array logic 
chips or software. Likewise, each of the transaction 
terminals 78 preferably includes a microprocessor 
88. associated memory 90, and appropriate input/ 
output devices such as cardreader 92, keyboard 94 
and display 96. 

While the above discussion relates specifically to 
protection schemes for personal identification 
cards, it should be appreciated that the password/ 
signature security routines of the present invention 
may also be used where the personal data is 
transmitted over a communications channel as 
opposed to being stored on an identification card 



per se. Returning back to FIGURE 6. this aspect of 
the invention is achieved by providing a communica- 
tions channel 100. e.g., a telephone link via modems, 
between an issuing terminal 76b and a transaction 
5 terminal 78a. 

In operation, the method steps of FIGURE 2 would 
be the same as previously described except that 
step 40 is deleted and a step of transmitting the 
encoded password/signature over the communica- 
te? tions channel 100 is substituted therefor. Likewise, 
step 50 of the verification routine in FIGURE 4 is 
deleted and is substituted with a step whereby the 
information provided over the communications 
channel 100 is received at the transaction terminal 
15 and then processed according to the remainder of 
the steps in Figure 4. In this way, the password/sig- 
nature method is used for persona! identification 
where the medium for supporting and transmitting 
the password and the signature is the communica- 
20 tions channel itself rather than the identification 
card. 

Although the invention has been described and 
illustrated in detail, the same is by way of example 
only and should not be taken by way of limitation. 
25 The spirit and scope of the present invention are 
limited only by the terms of the appended claims. 
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Claims 



1. A method for enabling an authorized user 
of a personal identification card to effect a 
transaction using a transaction terminal, com- 
prising the steps of: 
35 generating a password having a portion thereof 

which is non-secret; 

mapping the password using a predetermined 
function "F" to generate a mapped password; 
digitally signing the mapped password with a 
40 private key of a public-key cryptosystem pair to 

generate a signature corresponding to the 
mapped password; 

encoding the password and the signature to 
generate an encoded password/ signature; 
45 Storing the encoded password/signature on the 

personal identification card; 
receiving the personal identification card at the 
transaction terminal; 

decoding the encoded password/signature on 
50 the received personal identification card to 

generate a received password and a received 
signature; 

mapping the received password with the pre- 
determined function "F" to generate a mapped 
55 password "Or" for the received persona! identi- 

fication card; 

digitally verifying, using the public key "M" of 
the public-key cryptosystem pair, whether the 
received signature can be generated from the 
60 mapped password for the received personal 

identification card; 

if the received signature can be generated from 
the mapped password using the public key, 
generating an indication that the received 
65 signature is valid; 
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generating a representation from the received 
password; 
and 

displaying the representation and the indication 
on a display of the transaction terminal to 
enable an operator thereof to verify that the 
user is authorized to effect a transaction using 
the personal identification card. 

2- The method for enabling an authorized 
user of a personal identification card to effect a 
transaction as described in Claim 1 wherein the 
password includes data representing a pictorial 
representation of a physical characteristic of 
the authorized user. 

3. The method for enabling an authorized 
user of a personal identification card to effect a 
transaction as described in Claim 1 wherein the 
password includes data representing one or 
more personal facts about the authorized user. 

4. The method for enabling an authorized 20 
user of a personal identification card to effect a 
transaction as described in Claim 1 wherein the 
password includes one or more codewords. 

each of the codewords authorizing a specific 
transaction. 25 

5. The method for enabling an authorized 
user of a personal identification card to effect a 
transaction as described in Claim 1 wherein the 
password includes data representing a pictorial 
representation of a physical characteristic of 30 
the authorized user, data representing one or 
more personal facts about the authorized user, 

and at least one codeword authorizing a 
specific transaction using the personal identifi- 
cation card. 35 

6. The method for enabling an authorized 
user of a personal Identification card to effect a 
transaction as described in Claim 1 wherein the 
predetermined function "F" is an identity func- 
tion. 40 

7. The method for enabling an authorized 
user of a personal identification card to effect a 
transaction as described in Claim 1 wherein the 
predetermined function "F" Is a hashing func- 
tion based on a DES scheme. 45 

8. The method for enabling an authorized 
user of a personal identification card to effect a 
transaction as described in Claim 1 wherein the 
encoding step includes the step of : 

encoding the password and the signature with 50 
an error-correcting code. 

9. The method for enabling an authorized 
user of a personal identification card to effect a 
transaction as described in Claim 1 wherein the 
decoding step includes the step of: 55 
correcting errors in the received password and 

in the received signature decoded from the 
encoded password/signature. 

10. The method for enabling an authorized 
user of a personal identification card to effect a 60 
transaction as described in Claim 1 wherein the 
digital signing step includes the steps of: 
multiplying the mapped password "Q" by each 
of the factors ± 1 mod M and ± 2 mod M ; 
determining which of the four values ± Q mod 65 



M and ±2Q mod M is a quadratic residue 
modulo M, where "M" equals "Pi»P2" and Pi 
and P2 are secret prime numbers which are 
preselected such that only one of the four 
values ± mod M and ± 2Q mod M is a quadratic 
residue modulo "M" ; and 

computing the square root of the quadratic 
residue to generate the signature. 

11. The method for enabling an authorized 
user of a personal identification card to effect a 
transaction as described in Claim 10 wherein 
the digitally verifying step includes the steps of: 
multiplying the mapped password "Qr" from the 
received personal identification card by each of 
the factors ± 1 mod M and ± 2 mod M ; 
squaring modulo "M" the received signature to 
generate a value "X"; 

determining whether "X" equals either ±Qr 
mod M or ±2Qr mod M; and 
if "X" equals either ±Qr mod M or ±2Qr mod 
M, generating the indication that the received 
signature is valid. 

12. A method for issuing a personal identifica- 
tion card for an authorized user of the personal 
identification card, comprising the steps of: 
generating a pictorial representation of a physi- 
cal characteristic of the authorized user; 
processing the pictorial representation to 
generate a password; 

mapping the password with a predetermined 
one-way function to generate a mapped pass- 
word"Q" having a length substantially less than 
the length of the password ; 
digitally signing the mapped password "Q" with 
a private key (Pi,P2) of a first public-key 
cryptosystem pair to generate a first signature, 
where Pi and P2 are secret prime numbers and 
the first public-key cryptosystem pair includes a 
public key "M" which is equal to Pi •Pa; 
encoding the password and the first signature 
with an error-correcting code to generate an 
encoded password/signature; and 
storing the encoded password/signature on the 
personal identification card. 

13. The method for issuing a personal identifi- 
cation card as described in Claim 12 further 
including the steps of 

digitally signing the mapped password with a 
private key of a second public-key cryptosys- 
tem pair to generate a second signature; and 
encoding . the second signature along with the 
password and the first signature. 

14. The method for issuing a personal identifi- 
cation card as described in Claim 12 further 
including the step of: 

augmenting the password to include data 
representing one or more personal facts about 
the authorized user. 

15. The method for issuing a personal identifi- 
cation card as described in Claim 12 further 
including the step of: 

augmenting the password to include one or 
more codewords, each of said codewords 
authorizing a specific transaction using the 
personal identification card. 
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16. The method for issuing a personal identifi- 
cation card as described in Claim 15 wherein 
the personal identification card is a passport 
and each of the cryptosystem pairs corre- 
sponds to a different country. 5 

17. The method for issuing a personal identifi- 
cation card as described In Claim 12 wherein 
the digital signing step includes the steps of: 
multiplying the mapped password "Q" by each 

of the predetermined factors ±1 mod M and 10 
±2modM; 

determining which of the values ± Q mod M and 
±2Q mod M is a quadratic residue modulo "M", 
where the secret prime numbers Pi and Pa 
which are preselected such that only one of the 15 
four values ±Q mod M and ±2Q mod M is a 
quadratic residue modulo "M"; and 
computing the square root of the quadratic 
residue modulo "M" to generate the first 
signature. 20 

18. The method for issuing a personal identifi- 
cation card as described in Claim 12 further 
including the step of: 

encrypting the password with a predetermined 
function prior to the mapping step. 25 

19. A system for issuing authorized personal 
identification cards and for presenting unauth- 
orized use thereof; comprising: 

issuing terminal means for issuing a plurality of 
personal identification cards, each of said cards 30 
having stored therein a password with a portion 
thereof representing a non-secret characteris- 
tic of an authorized user of the card, each of 
said cards also having stored therein a signa- 
ture derived from the password using a private 35 
key of a public-key cryptosystem pair; and 
transaction terminal means including at least 
one transaction terminal for receiving a per- 
sonal identification card offered to effect a 
transaction using the transaction terminal, the 40 
personal identification card having a received 
password and a received signature, wherein the 
transaction terminal comprises means, using 
the public key of the public-key cryptosystem 
pair, for verifying that the received signature 45 
can be generated from the received password, 
means for generating a representation from the 
received password, and means for displaying 
the representation and an indication of whether 
the received signature can be generated from 50 
the received password to enable an operator of 
the transaction terminal to verify that the user of 
the offered personal identification card is 
authorized to effect a transaction. 

20. The system as described in Claim 19 55 
wherein the issuing terminal means includes at 
least one issuing terminal for one or more 
independent issuers of authorized personal 
identification cards, each of the independent 
issuers having a distinctive public-key crypto- 60 
system pair unknown to the other issuers. 

21 . A system for allowing authorized users of 
personal identification cards to effect transac- 
tions via at least one transaction terminal 
comprising a plurality of said cards each having 65 



stored therein a signature wich is the digital 
sign of a password associated with the respec- 
tive user, the signature stored in each of said 
cards having been derived with the same 
private key of a public-key cryptosystem pair; 
and at least one transaction terminal having 
means for controlling (1) the retrieval of the 
password and the signature stored in an 
inserted card, (2) the digital verification of the 
retrieved signature with the use of the public 
key of the public-key cryptosystem pair. (3) the 
generation of a pictorial representation from the 
retrieved password, and (4) the effecting of a 
transaction only if the retrieved signature is 
verified and the pictorial representation mat- 
ches the user. 

22. A terminal for initializing personal identifi- 
cation cards to be used with at least one 
transaction terminal, each card having a mem- 
ory therein, comprising means for assigning a 
password having a portion thereof which is 
non-secret to a user whose card is to be 
initialized, means for deriving a digital signature 
from at least a portion of the assigned pass- 
word, the signature for each user being derived 
with use of the same private key of a public-key 
cryptosystem pair, and means for controlling 
the storing in a user card of the respective 
derived digital signature. 

23. A personal identification card, for use in 
effecting transactions via at least one transac- 
tion terminal, comprising a body portion, a 
memory within said body portion for storing a 
signature, said signature being the digital sign 
of a password having at least a portion thereof 
being non-secret and being associated with the 
respective card user, said signature having 
been derived from the password with the 
private key of a public-key cryptosystem pair. 

24. A method for personal identification, 
comprising the steps of: 

generating a password having a portion thereof 
which is non-secret; 

mapping the password using a predetermined 
function "F" to generate a mapped password; 
digitally signing the mapped password with a 
private key of a public-key cryptosystem pair to 
generate a signature corresponding to the 
mapped password; 

encoding the password and the signature to 
generate an encoded password/ signature; 
transmitting the encoded password/signature 
over a communications channel; 
receiving the encoded password/signature at a 
transaction terminal; 

decoding the received encoded password/sig- 
nature to generate a received password and a 
received signature; 

mapping the received password with the pre- 
determined function "F" to generate a mapped 
password "Qr"; 

digitally verifying, using the public key "M" of 
the public-key cryptosystem pair, whether the 
received signature can be generated from the 
mapped password ; 
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if the received signature can be generated from 
the mapped password using the public key. 
generating an Indication that the received 
signature is valid; 

generating a representation from the received 
password; 



and 

displaying the representation and the Indication 
on a display of the transaction terminal to 
enable an operator thereof to verify that the 
user is authorized to effect a transaction. 
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